MyBB Community Forums

Full Version: forum get hacked by sql injection
So what evidence do you have that this was an SQL injection? Obviously that would be useful in patching the vulnerability, if there was one.
* Leefish settles down with her popcorn.
If it is an SQL injection, you'll find HTTP requests with SQL commands in the HTTP server (Apache?) logs.
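The log check suggested in the post above, as an added example that is not part of the original thread: it scans access-log lines for query-string values that look like SQL injection probes. It assumes Apache's common/combined log format; the pattern names, sample lines and the `/example_plugin.php` path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Apache common/combined format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Heuristic indicators: a hit means "review this request", not "confirmed injection".
PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    ("sql-comment", re.compile(r"--(\s|$)|/\*")),
    ("quote-break", re.compile(r"['\"]\s*(or|and)\b|['\"]\s*$", re.I)),
    ("time-or-schema", re.compile(r"\b(sleep|benchmark)\s*\(|information_schema", re.I)),
]

def scan_line(line):
    """Return a finding dict for one access-log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a request line in the expected format
    host, when, target, status = m.groups()
    parts = urlsplit(target)
    # parse_qsl decodes once; decode again to catch double-encoded values.
    values = [unquote_plus(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits = [name for name, rx in PATTERNS if any(rx.search(v) for v in values)]
    if not hits:
        return None
    return {"host": host, "time": when, "path": parts.path,
            "status": int(status), "hits": hits}

def scan(lines):
    """Scan an iterable of log lines and return only the suspicious requests."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample lines (documentation IP ranges, hypothetical plugin path).
SAMPLE = [
    '203.0.113.7 - - [14/Jul/2012:03:10:01 +0000] "GET /showthread.php?tid=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Jul/2012:03:11:09 +0000] "GET /member.php?action=profile&uid=1\' HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Jul/2012:03:11:40 +0000] "GET /example_plugin.php?id=1%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jul/2012:03:12:02 +0000] "GET /search.php?keywords=rock+%26+roll HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Access logs record only the request line, so values sent in POST bodies will not show up here. The `path` field of each finding shows which script received the request, which helps separate core files from plugin files.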
On what grounds do you make accusations or state it? Firstly, you didn't even provide how it was done, or you yourself are not sure and are still saying it was an injection.

I very much doubt what pavemen said; it's possibly a bad forum configuration/permissions to uncheck who can see the forum. Moreover, you said no one even logged into the ACP.
If you are using MyTabs it has a sql injection in there.
(2012-07-14, 08:54 PM)Justice Wrote: [ -> ]If you are using MyTabs it has a sql injection in there.

It had an SQLi vulnerability in there. It was fixed last year.
(2012-07-14, 03:39 AM)Nathan Malcolm Wrote: [ -> ]When vulnerabilities are made public we patch them within days, if not hours. There are no known vulnerabilities in the latest version of MyBB.

We're not covering anything up, we have no reason to.
No known vulnerabilities?

http://packetstormsecurity.org/files/113...68-sql.txt
http://seclists.org/bugtraq/2012/Jun/133
(2012-07-15, 07:27 AM)yes123 Wrote: [ -> ]
(2012-07-14, 03:39 AM)Nathan Malcolm Wrote: [ -> ]When vulnerabilities are made public we patch them within days, if not hours. There are no known vulnerabilities in the latest version of MyBB.

We're not covering anything up, we have no reason to.
No known vulnerabilities?

http://packetstormsecurity.org/files/113...68-sql.txt
http://seclists.org/bugtraq/2012/Jun/133

Both were incorrectly reported as MyBB vulnerabilities. Those vulnerabilities are within plugins.

http://community.mybb.com/member.php?action=profile&uid=1'
http://community.mybb.com/announcements.php?aid=7'

As I previously stated, there are no known vulnerabilities in the latest version of MyBB.
Any idea what plugin?
(2012-07-21, 06:16 PM)Snickers Wrote: [ -> ]Any idea what plugin?

There are a lot of plugins out there that might have vulnerabilities.
I recommend you download your plugins from here: http://mods.mybb.com/mods
and perform a scan before and after installing the plugin and check if
there is a difference in the results. Anyway, let's not go off-topic.
OP, please provide proof that the SQLi vulnerability was in the MyBB script, not in one
of your plugins.
Regards,
illusion